age-seed-keygen/README.md
jakobhusu 1f1889629f Add age-seed-keygen CLI tool
Generates and recovers age X25519 identity keys from a BIP39 24-word
mnemonic. Uses 256 bits of entropy mapped directly to an X25519 private
key, encoded in the standard age identity file format (AGE-SECRET-KEY-1…).

Commands:
  generate  — create a new age identity and print the 24-word mnemonic
  recover   — reconstruct the exact same identity from the mnemonic

Dependencies: bech32, cryptography, mnemonic. Setup via setup.sh.
2026-05-20 15:55:53 +02:00


age-seed-keygen

An age identity generator with a BIP39 recovery phrase. Every key comes with 24 words you can write down — lose the file, say the words, get it back.

The idea

age X25519 identity keys are 32 random bytes. BIP39 is a standard for encoding random bytes as human-readable words (the same standard hardware wallets use). This tool generates 256 bits of entropy, turns it into both an age identity and a 24-word mnemonic, and gives you both. Recovery is the reverse — give back the 24 words, get back the exact same identity.
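The mapping described above, as an added example using only the Python standard library (it is not the project's keygen.py, which depends on the bech32, cryptography and mnemonic packages). It assumes the 32 bytes of entropy are used unchanged as the age key, shows the 24 BIP39 word-list indices rather than the words because the 2048-word list is not embedded, and uses a constructed all-zero sample seed.

```python
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # Bech32 alphabet (BIP173)
HRP = "age-secret-key-"  # age identity prefix; checksum is computed over the lowercase form

def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP39: 256 bits + 8-bit SHA-256 checksum -> 24 indices into the 2048-word list."""
    if len(entropy) != 32:
        raise ValueError("need exactly 32 bytes")
    bits = (int.from_bytes(entropy, "big") << 8) | hashlib.sha256(entropy).digest()[0]
    return [(bits >> (11 * (23 - i))) & 0x7FF for i in range(24)]

def indices_to_entropy(indices: list[int]) -> bytes:
    """Recovery direction; rejects a phrase whose checksum byte does not match."""
    if len(indices) != 24 or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("need 24 indices in 0..2047")
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> 8).to_bytes(32, "big")
    if hashlib.sha256(entropy).digest()[0] != (bits & 0xFF):
        raise ValueError("mnemonic checksum mismatch")
    return entropy

def polymod(values):
    """Bech32 checksum polynomial from BIP173."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate((0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)):
            if (top >> i) & 1:
                chk ^= g
    return chk

def hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def age_identity(key: bytes) -> str:
    """Bech32-encode 32 key bytes as an age identity string (uppercase)."""
    n = int.from_bytes(key, "big") << 4  # pad 256 bits to 260 = 52 groups of 5 bits
    data = [(n >> (5 * (51 - i))) & 31 for i in range(52)]
    pm = polymod(hrp_expand(HRP) + data + [0] * 6) ^ 1
    data += [(pm >> (5 * (5 - i))) & 31 for i in range(6)]
    return (HRP + "1" + "".join(CHARSET[d] for d in data)).upper()

if __name__ == "__main__":
    seed = bytes(32)  # constructed sample seed, never use a fixed value for a real key
    idx = entropy_to_indices(seed)
    print(idx)
    print(age_identity(indices_to_entropy(idx)))
```

Only the last of the 24 words carries checksum bits, so a mistyped word is caught with probability 255/256 rather than with certainty.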

If you already use ssh-seed-keygen, you can back up both an SSH key and an age identity from a single mnemonic — or keep them separate. Either way, one piece of paper is all you need.

Getting started

bash setup.sh

Creates a virtualenv and installs the three dependencies.

Generating an identity

.venv/bin/python keygen.py generate

Writes the identity file to ~/.config/age/key.txt by default, then prints your 24 words. Write them down somewhere offline.

# different output path
.venv/bin/python keygen.py generate -o ~/my-age-key.txt

Recovering an identity

# pass the words directly
.venv/bin/python keygen.py recover word1 word2 ... word24

# or run it and paste when prompted
.venv/bin/python keygen.py recover

Same -o flag applies if you want the recovered file somewhere other than the default path.

Using the identity

The output file is a standard age identity file — it works directly with the age CLI:

# encrypt a file
age -r age1<your-public-key> secret.txt > secret.txt.age

# decrypt using the identity file
age --decrypt -i ~/.config/age/key.txt secret.txt.age > secret.txt

Protecting the identity file

The identity file is written with mode 0600. If you want to encrypt it at rest, use age itself:

age --passphrase -o key.txt.age ~/.config/age/key.txt
rm ~/.config/age/key.txt

Decrypt before use:

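# the shell creates the redirect target using your umask, so restrict it to keep the file at 0600
(umask 077; age --decrypt key.txt.age > ~/.config/age/key.txt)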

One thing to keep in mind

The mnemonic encodes the private key directly. Anyone with those 24 words has your identity. Treat them at least as carefully as the key file itself.